MessageIdVersionQualifiersLevelTaskOpcodeKeywordsRecordIdProviderNameProviderIdLogNameProcessIdThreadIdMachineNameUserIdTimeCreatedActivityIdRelatedActivityIdContainerLogMatchedQueryIdsBookmarkLevelDisplayNameOpcodeDisplayNameTaskDisplayNameKeywordsDisplayNamesProperties
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x2A392 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x10c0 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481617606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481617605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7c0716aca5783122b8c98496c5201d00_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481617604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x67C676 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C8BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x67C676 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59511 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x67C676 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x679073 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x679073 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x679073 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:22:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x66C25B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6709F7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6709F7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6709F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66D5C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C76E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C8BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C8BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C85D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C85D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C85D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C814 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C814 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C814 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C76E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4097818027-1170704307-4129224333-1478987481 Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66C76E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F43FBDAB-87B3-45C7-8DF6-1EF6D98E2758 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x66C25B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59504 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x66C25B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:20:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x6658BF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:18:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x6658BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59485 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:18:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x6658BF Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:18:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x65F7C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:16:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x65F7C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59471 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:16:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x65F7C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:16:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x65979C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:14:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x65979C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59447 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:14:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x65979C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:14:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647259 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:12:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x64FAC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:12:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x64FAC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59419 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:12:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x64FAC2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:12:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64B634 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64B634 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64B634 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F3E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647F3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647111 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647259 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647259 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647200 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647200 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647200 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6471B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6471B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6471B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647111 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1025495670-1080559827-1949374605-3406238581 Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x647111 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3D1FD276-08D3-4068-8D18-3174751307CB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:11:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x642CDC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:10:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x642CDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59402 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:10:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x642CDC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:10:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x63C9BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:08:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x63C9BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59386 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:08:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x63C9BD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:08:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x636700 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:06:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x636700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59373 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:06:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x636700 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:06:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:05:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A6EE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:05:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CBBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CBBD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62CBBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B9AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B9AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62B9AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AADB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC9B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC42 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC42 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AC42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62ABF9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62ABF9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62ABF9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AADB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2766061347-1238329212-619359925-2319395576 Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x62AADB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A4DEBF23-677C-49CF-B5AE-EA24F82A3F8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A746 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A742 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A73F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59362 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A746 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A742 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59363 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A742 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A73F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59361 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A73F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A6EE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59360 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x62A6EE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x627E94 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x627E94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59356 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x627E94 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:04:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615367 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:03:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x61B058 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x61B058 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59344 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x61B058 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6193B5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6193B5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6193B5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:02:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x616074 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x616074 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x616074 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61521F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615367 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x615367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61530E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61530E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61530E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6152C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6152C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6152C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61521F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3598028086-1178994082-3073093049-1300835144 Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61521F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6758D36-05A2-4646-B9AD-2BB7482B894D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 10:01:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x60EB2D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:00:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x60EB2D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59326 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:00:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x60EB2D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 10:00:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x608A90 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x608A90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59303 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:58:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x608A90 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:58:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x602A8E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:56:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x602A8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59293 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:56:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x602A8E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:56:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5FC089 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:54:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5FC089 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59275 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:54:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5FC089 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:54:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5F5AF1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:52:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5F5AF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59219 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:52:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5F5AF1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:52:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E73 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEEAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEEAF Privileges: SeImpersonatePrivilege467200125480-921436483760003481617441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEEAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAB83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAB83 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EAB83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9D2B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E73 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9E1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9DD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9DD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9DD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9D2B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2530051800-1144111190-946329006-3673432962 Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E9D2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96CD86D8-C056-4431-AED5-67388223F4DA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DC34F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA797 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB025 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DECE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DECE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DECE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD8BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD8BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481617411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DD8BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5DC34F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59191 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DC34F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBDB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBDB2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DBDB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAEDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB025 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DB025 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFCC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAFCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAF83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAF83 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAF83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAEDD Privileges: SeImpersonatePrivilege467200125480-921436483760003481617390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2799973632-1158182064-3469216912-2427527286 Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAEDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A6E43500-74B0-4508-900C-C8CE7620B190 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:50:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7DE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59185 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7DE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59187 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59186 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA7E0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA797 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59184 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5DA797 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:49:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD886 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDE0A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFE4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFE4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CFE4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEB14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEB14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CEB14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDCC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDE0A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDE0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDDB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDDB1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDDB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDD68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDD68 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDD68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDCC2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1460516452-1244702462-266581637-3185529864 Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5CDCC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 570DB664-A6FE-4A30-85B6-E30F0854DFBD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD920 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD91B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD919 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD920 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59158 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD920 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD91B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59157 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD91B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD919 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59156 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD919 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CC2DD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD886 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59155 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CD886 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5CC2DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59154 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5CC2DD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:48:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0619 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B62 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2BA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2BA3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C2BA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1870 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1870 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C1870 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0A1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B62 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B09 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0B09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0AC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0AC0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0AC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0A1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2851921133-1264393485-222019482-3712616507 Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C0A1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9FCDCED-1D0D-4B5D-9ABF-3B0D3B084ADD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:47:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0673 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0661 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0660 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0661 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59142 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0661 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0673 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59143 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0673 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0660 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59141 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0660 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0619 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59140 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5C0619 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5BD384 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5BD384 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59136 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5BD384 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:46:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B44F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4A22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6942 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6942 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B6942 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B572B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B572B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B572B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B48DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4A22 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4A22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B49C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B49C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B49C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4980 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4980 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B4980 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B48DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-280477111-1269430698-21815226-1744044391 Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B48DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 10B7BDB7-F9AA-4BA9-BADF-4C016701F467 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B4550 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59127 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B4550 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59128 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B4550 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59126 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B453D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B44F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59125 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5B44F7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:45:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A675F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A6741 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C98 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A8BBA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A8BBA Privileges: SeImpersonatePrivilege467200125480-921436483760003481617258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A8BBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A79A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A79A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A79A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6B50 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C98 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C98 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C3F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C3F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6C3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6BF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6BF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6BF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6B50 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1767514716-1169983236-416932244-839021962 Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5A6B50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 695A225C-8704-45BC-94E1-D9188A750232 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59112 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205060n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59111 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59110 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A67A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A675F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59109 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A675F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5A6741 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59108 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5A6741 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:44:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5984B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:43:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C44A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C44A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59C44A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599270 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599270 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599270 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59836B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5984B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5984B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598459 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598459 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598459 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598410 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598410 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x598410 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59836B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-859286245-1103031958-2560511377-2574307321 Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59836B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3337AAE5-EE96-41BE-914D-9E98F9CF7099 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EA70 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5910AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5910AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481617196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5910AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58FD74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EF1E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F06A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F011 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F011 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58F011 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EFC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EFC8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EFC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EF1E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1526059776-1219014431-3736420503-1257227204 Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x58EF1E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5AF5D300-AF1F-48A8-9740-B5DEC4C3EF4A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58D52E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59082 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59081 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59080 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EAC2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EA70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 59079 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58EA70 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x58D52E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59075 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58D52E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:42:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57752D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:40:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58195D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:40:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x58195D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59054 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:40:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x58195D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:40:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57C8E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57C8E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57C8E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5795E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5795E9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5795E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5773D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57752D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57752D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5774D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5774D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5774D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57748A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57748A Privileges: SeImpersonatePrivilege467200125480-921436483760003481617139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x57748A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5773D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3696810284-1341743014-109417127-2200306275 Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5773D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC58D92C-5FA6-4FF9-A792-850663022683 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5747C4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5747C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59042 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5747C4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:38:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x56E517 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:36:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x56E517 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59023 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:36:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x56E517 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:36:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x56854E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:34:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x56854E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 59016 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:34:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x56854E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:34:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x556B5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A78C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x560AA0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x560AA0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x560AA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D87B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D87B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55D87B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:33:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A62F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A78C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A78C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A733 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A733 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A733 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A6E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A6E9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A6E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A62F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3840780558-1229156806-483686807-898283378 Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x55A62F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4EDA90E-71C6-4943-9779-D41C72B78A35 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x556B5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58985 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x556B5E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:32:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5516B2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:30:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x5516B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58933 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:29:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x5516B2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:29:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x53DD9C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53E03D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5344C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544AF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544AF8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x544AF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53EE6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53EE6F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53EE6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:28:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DEF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53E03D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53E03D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFE4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFE4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DFE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DF9B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DF9B Privileges: SeImpersonatePrivilege467200125480-921436483760003481617074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DF9B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DEF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-306900179-1213176751-2667921081-4256907870 Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53DEF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 124AECD3-9BAF-484F-B93E-059F5E42BBFD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x53DD9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58913 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x53DD9C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x524C97 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5399E2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5399E2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5399E2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5365FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5365FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481617060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5365FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534366 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5344C1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5344C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534468 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534468 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534468 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53441E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53441E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x53441E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534366 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3231487597-1303429418-1570428057-2587045924 Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x534366 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C09C966D-C12A-4DB0-99D4-9A5D2430339A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:27:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52763E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:26:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529E12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:26:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529E12 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:26:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x529E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:26:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:26:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52832D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52832D Privileges: SeImpersonatePrivilege467200125480-921436483760003481617036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52832D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527335 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52763E Privileges: SeImpersonatePrivilege467200125480-921436483760003481617032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x52763E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5275E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5275E5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5275E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527484 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527484 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527484 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527335 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2681508148-1216523623-1510411160-1604938443 Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x527335 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FD49134-AD67-4882-980B-075ACB6AA95F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A95F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x524C97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58898 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x524C97 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481617016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C59B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C6AA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C60F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481617008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51E7E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:25:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B73C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B73C Privileges: SeImpersonatePrivilege467200125480-921436483760003481617004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51B73C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481617003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481617002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A818 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481617001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A95F Privileges: SeImpersonatePrivilege467200125480-921436483760003481617000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A95F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A906 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A906 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A906 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A8BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A8BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A8BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A818 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3827331443-1079367732-3053566640-830610350 Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x51A818 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4207173-D834-4055-B0BA-01B6AE1B8231 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50D911 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C4E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C8B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50D0F6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C569 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x507D88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C889 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5159DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x51156A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x51156A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63886D5B-BECD-841C-342D-B8E3139D0C00} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x51156A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510FFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510FFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510FFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510B57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510B57 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x510B57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50DA46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50DA73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50DA5E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50DA73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CB59ED8C-1B10-B38E-B887-CF580A1FECD8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50DA5E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CB59ED8C-1B10-B38E-B887-CF580A1FECD8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58859 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50DA46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CB59ED8C-1B10-B38E-B887-CF580A1FECD8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58858 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50D911 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {CB59ED8C-1B10-B38E-B887-CF580A1FECD8} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58857 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50D0F6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58857 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x50C976 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C976 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {051DB01F-0AE4-7296-C09D-0610885608B6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C90E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C90E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C90E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C8B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3555847605-1161512434-689408128-2496283756 Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x50C8B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D3F1EDB5-45F2-453B-8088-17296C44CA94 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C889 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63886D5B-BECD-841C-342D-B8E3139D0C00} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C889 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C6AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58863 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C6AA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C60F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58863 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C60F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C5D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58862 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5D8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C5C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58862 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5C3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C5AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58862 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C5AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C59B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58862 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C59B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C569 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58853 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C569 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C53B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C51F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C51A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C53B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58860 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C53B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C51F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58859 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C51A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58858 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C51F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C51A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x50C4E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58857 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x50C4E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA11B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:24:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x507D88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58853 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x507D88 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD63 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FFF09 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FFF09 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FFF09 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FCB10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FCB10 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FCB10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBC1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD63 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD0A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD0A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBD0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBCC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBCC1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBCC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBC1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3490841703-1193700542-3835666067-1626902932 Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4FBC1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D0120467-6CBE-4726-939E-9FE49491F860 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:23:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF6A5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E92CC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E955A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9B28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EBB18 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EBB18 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EBB18 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA89E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA89E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4EA89E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E99DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9B28 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9B28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9ACF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9ACF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9ACF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9A86 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9A86 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E9A86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E99DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2037520749-1100019498-1121550006-2993808568 Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E99DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7972196D-F72A-4190-B67E-D942B8E471B2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E9638 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58812 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58811 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E963B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E9638 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58810 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E9638 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E955A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58809 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E955A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:22:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4E92CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58808 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4E92CC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6BBC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6BBC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E6BBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:32 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D6CC6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E3691 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E3691 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E3691 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E03D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E03D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4E03D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF55B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF6A5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF6A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF64C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF64C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF64C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF603 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF603 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF603 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF55B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-612361805-1124405351-4110535095-2177345808 Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4DF55B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 247FE64D-1067-4305-B7C9-01F510A9C781 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:21:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1020 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:20:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4D6CC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58796 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D6CC6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0A5B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D303C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D303C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D303C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1E19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1E19 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1E19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0ED9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1020 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D1020 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0FC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0FC7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0FC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0F7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0F7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0F7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0ED9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2487476513-1217410571-3015842713-954446390 Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4D0ED9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9443E121-360B-4890-991B-C2B336B2E338 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58780 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58781 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58779 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0AB0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0A5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 58778 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4D0A5B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE1D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE1D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CE1D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE28 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CAE28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9FD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA11B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA11B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA0C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA0C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA0C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA079 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA079 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4CA079 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9FD3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3296920419-1131476541-3067133096-1404975080 Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4C9FD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C4830363-F63D-4370-A8BC-D0B6E837BE53 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:19:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4C4D65 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:18:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4C4D65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58766 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:17:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4C4D65 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:17:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4BE70E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:16:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4BE70E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58751 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:15:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4BE70E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:15:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4B62ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:15:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4B62ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58746 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:13:51 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4B62ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:13:51 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D245 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:13:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4A4CC1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:12:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495981 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:12:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A676A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A676A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A676A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4A4CC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58700 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4A4CC1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1407 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1407 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4A1407 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49DFCA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49DFCA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49DFCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D0FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D245 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D245 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D1A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D0FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784010785-1100801081-3200397758-3747147443 Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49D0FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB0E21-E439-419C-BE31-C2BEB3EE58DF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A73A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A73A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x49A73A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:11:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x47F5E9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4966F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4966F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:51 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4966F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:51 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:51 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495839 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495981 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495981 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495928 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495928 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495928 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4958DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4958DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4958DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495839 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2073500100-1082307514-2170404799-3047757100 Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x495839 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B9719C4-B3BA-4082-BFBF-5D812C15A9B5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47581D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4855E3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4855E3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4855E3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:10:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F356 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483E20 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483E20 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x483E20 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48368E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48368E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x48368E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x47F5E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58651 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x47F5E9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479EAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479EAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x479EAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x447AAC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476564 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476564 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x476564 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756D6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47581D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47581D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757C4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757C4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4757C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47577B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47577B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47577B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756D6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2001475480-1257888291-3826531503-1177615936 Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4756D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 774C1798-DA23-4AF9-AF3C-14E440FE3046 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47194D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47194D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47194D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47008F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47008F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x47008F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F20A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F356 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F356 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F2B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F20A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2910445814-1278934118-2201490071-1290091737 Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x46F20A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD79E0F6-FC66-4C3A-9712-3883D93CE54C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:09:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECB45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE790 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419956 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C1AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x449CC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x449CC6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x449CC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:08:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x447AAC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58600 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x447AAC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444739 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444739 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x444739 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443AC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443AC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x443AC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427276 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43D48C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43D48C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43D48C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43BE3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43BE3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43BE3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B5C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B5C5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x43B5C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437A1D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437A1D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x437A1D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:07:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433CD6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433CD6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x433CD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432CAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432DFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D9A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D9A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D9A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D51 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D51 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432D51 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432CAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1707927101-1197171009-1013084583-1534360326 Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x432CAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 65CCE63D-6141-475B-A771-623C067B745B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x431570 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x431570 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x431570 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4302B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4302B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4302B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42C85C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42C85C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42C85C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4280E0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4280E0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4280E0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42712F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427276 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x427276 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42721D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42721D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42721D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4271D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4271D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4271D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42712F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2960131516-1092994432-1506464649-688986934 Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x42712F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B07005BC-C580-4125-89D3-CA59361B1129 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4224AC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:06:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x423409 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x423409 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x423409 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4224AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58527 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x4224AC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420BAE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420BAE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x420BAE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41D8AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41D8AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41D8AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C060 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C1AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C1AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C152 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C152 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C152 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C109 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C109 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C109 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C060 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-784021695-1150500091-3654063549-3650407310 Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41C060 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2EBB38BF-3CFB-4493-BD95-CCD98ECB94D9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41A758 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41A758 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41A758 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41980E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419956 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x419956 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4198B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41980E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3841015709-1165805922-2541962919-3790822264 Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41980E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E4F13F9D-C962-457C-A746-8397785BF3E1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DFB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DFB Privileges: SeImpersonatePrivilege467200125480-921436483760003481616498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414DFB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414343 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414343 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x414343 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4117E4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4117E4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4117E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41043B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41043B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x41043B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40FCCE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40FCCE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40FCCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:05:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3E5410 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF6AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4073F9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4073F9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4073F9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40465A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40465A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x40465A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4029A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4029A8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x4029A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402219 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402219 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x402219 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400507 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400507 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x400507 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF55E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF6AC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF6AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF651 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF651 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF651 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF608 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF608 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF608 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF55E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4058881177-1162974437-3181412766-4182388 Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3FF55E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F1ED9C99-94E5-4551-9E81-A0BD74D13F00 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E27B2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6A83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:05 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6A83 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F6A83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4418 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4418 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3F4418 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:04:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EF557 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EF557 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EF557 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE645 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE790 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE790 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE737 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE737 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE737 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE6EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE6EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE6EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE645 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-137418871-1132670392-827034289-3267445240 Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EE645 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0830D877-2DB8-4383-B18A-4B31F841C1C2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED973 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED973 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ED973 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC9FE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECB45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECB45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAEC Privileges: SeImpersonatePrivilege467200125480-921436483760003481616405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAA3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAA3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3ECAA3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC9FE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2069023360-1222633076-174117304-2309244381 Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3EC9FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7B52CA80-E674-48DF-B8D1-600ADD45A489 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D304B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7E6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7E6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E7E6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3E5410 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58478 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3E5410 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E34A2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E34A2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E34A2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E266B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E27B2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E27B2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2759 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2759 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2759 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2710 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2710 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E2710 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E266B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-850448303-1078694048-4002744499-2232728627 Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3E266B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 32B0CFAF-90A0-404B-B308-95EE33BC1485 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3C027A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D13C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DAA4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DAA4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3DAA4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D8296 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D8296 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D8296 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3D4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3D4B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D3D4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2F04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D304B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D304B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FF2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FF2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FA9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2FA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2F04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2680514850-1228644519-753596590-1875540407 Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D2F04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9FC56922-A0A7-493B-AEF8-EA2CB779CA6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:03:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D20D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D20D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D20D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D127C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D13C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D13C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D136F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D136F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D136F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1326 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1326 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D1326 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D127C Privileges: SeImpersonatePrivilege467200125480-921436483760003481616324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1983200408-1130251040-4024938368-3818159446 Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3D127C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 76353C98-4320-435E-80AF-E7EF567D94E3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:02:58 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3977D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A15AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6FA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3C027A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58433 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3C027A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE792 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE792 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3BE792 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B9B11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B9B11 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B9B11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7D72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7D72 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B7D72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6E5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6FA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6FA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6F48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6F48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6F48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6EFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6E5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481616292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2823655184-1216590351-2889057667-1058983341 Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B6E5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A84D8F10-B20F-4883-8385-33ACADCD1E3F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F019 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B05C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B05C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3B05C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1C9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2B36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2B36 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A2B36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A10A0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A15AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A15AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1311 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1311 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A1311 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A11DD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A11DD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A11DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A10A0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1536120157-1325344785-203106221-1873556050 Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3A10A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5B8F555D-2811-4EFF-AD27-1B0C5232AC6F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39FE03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39FE03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39FE03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EDC2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F019 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39F019 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EFC0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EFC0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EFC0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EEF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EEF8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EEF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EDC2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-506118914-1095179609-2328788396-914378042 Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39EDC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1E2AC302-1D59-4147-AC7D-CE8A3A4D8036 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D0F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D0F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x39D0F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3985E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3985E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3985E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397690 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3977D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3977D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397780 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397780 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397780 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397737 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397737 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397737 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397690 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2447321748-1167344550-1973165478-2634676451 Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x397690 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 91DF2A94-43A6-4594-A61D-9C75E3F8099D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:01:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A828 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x383655 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x37BAE2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367BE8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D147 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D147 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38D147 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374EC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38679D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38679D Privileges: SeImpersonatePrivilege467200125480-921436483760003481616212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x38679D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F38B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3844D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3844D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3844D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3834DE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x383655 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x383655 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835AF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3835AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3834DE Privileges: SeImpersonatePrivilege467200125480-921436483760003481616192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1653634786-1087951015-4011636097-1331441428 Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3834DE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 629076E2-D0A7-40D8-81B5-1CEF142F5C4F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A9838 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F90F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 9:00:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688BB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36888E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368558 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368527 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36853E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368350 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368335 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36831E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367D44 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367D02 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368588 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36838A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367F7E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367BFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367E79 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x37BAE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58242 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x37BAE2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A413 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A413 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x37A413 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375D03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375D03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x375D03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374CFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374EC9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374EC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E70 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E70 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E70 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E27 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374E27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374CFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481616144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1306240855-1296046643-8667577-3536320890 Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x374CFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4DDBA757-1A33-4D40-B941-84007AF9C7D2 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BAC4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E210 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E210 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36E210 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C5D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C5D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x36C5D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3688ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3688BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688BB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3688A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x3688A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x36888E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36888E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x368588 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368588 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x368558 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368558 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x36853E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36853E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x368527 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368527 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x36838A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36838A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x368350 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368350 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x368335 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x368335 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x36831E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x36831E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367F7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367F7E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367E79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367E79 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367D44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367D44 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367D02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367D02 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367C53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58244 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C53 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367C3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C3B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367C26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C26 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367C0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367C0F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367BFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58243 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367BFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x367BE8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58242 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x367BE8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x364F2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x364F2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x364F2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3628DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FD0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362FD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362CD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362CD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362CD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362A07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362A07 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x362A07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3628DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-559650369-1201647357-2413149828-2969826063 Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3628DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 215B9641-AEFD-479F-84BE-D58F0FF303B1 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x34C2B3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E191 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E191 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x35E191 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:59:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B07D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x34C2B3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58213 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x34C2B3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481616060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3476BD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3476BD Privileges: SeImpersonatePrivilege467200125480-921436483760003481616058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3476BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2F24CE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1082 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3402D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3402D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3402D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B969 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BAC4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BAC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33BA21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B969 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2710964739-1149891144-3941713084-3182953983 Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33B969 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A1960A03-F248-4489-BCC4-F1EAFF05B8BD Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337646 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337646 Privileges: SeImpersonatePrivilege467200125480-921436483760003481616033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x337646 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33076E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33076E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x33076E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F12E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F38B Privileges: SeImpersonatePrivilege467200125480-921436483760003481616025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F38B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F2DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F2DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481616021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F2DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F23F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F23F Privileges: SeImpersonatePrivilege467200125480-921436483760003481616017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F23F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F12E Privileges: SeImpersonatePrivilege467200125480-921436483760003481616014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2330759192-1165489960-1015746469-63948690 Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32F12E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481616013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8AEC9018-F728-4577-A50F-8B3C92C7CF03 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481616012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1CB3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1C80 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1C2E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1968 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1947 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E191E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E170D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E16F8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E16E1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E11D8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E119A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10D5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481616000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1CD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1A14 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1739 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1098 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1533 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E145A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E12FA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10ED Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A7AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A7AC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32A7AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3188E1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32176D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32176D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x32176D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C98B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C98B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31C98B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AF36 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B07D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B07D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B024 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B024 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31B024 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AFDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AFDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AFDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AF36 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2956008862-1245455386-3197738428-4103338632 Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31AF36 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B0311D9E-241A-4A3C-BC9D-99BE88FA93F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3197B8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3197B8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3197B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31863B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3188E1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3188E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318804 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318804 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x318804 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3187AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3187AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3187AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31863B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1258100703-1295699297-3600754349-4109539616 Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x31863B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 4AFD17DF-CD61-4D3A-AD26-9FD62099F2F4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3170F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3170F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x3170F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:58:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4F53 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B888E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE72C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE72C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FE72C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB0D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB0D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2FAB0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F590C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F590C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F590C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5026 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5026 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F5026 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F28BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F28BB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2F28BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2F24CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58126 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2F24CE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9C8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EF9C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC676 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC676 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EC676 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6A7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7A1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB7A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB752 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB752 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB752 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6A7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1905566800-1323470282-765787526-3733731405 Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2EB6A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7194A450-8DCA-4EE2-86FD-A42D4D388CDE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2DD11B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1A08 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1C9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1C9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1CD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1CD9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1CB3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1CB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1C80 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1C80 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1C2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1C2E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1B21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1A08 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3340535618-1123476558-902804918-588210293 Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2E1A08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C71C8742-E44E-42F6-B6B5-CF3575600F23 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1A14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1A14 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1968 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1968 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1947 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1947 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E191E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E191E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1739 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1739 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E170D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E170D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E16F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E16F8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E16E1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E16E1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1533 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1533 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E145A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E145A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E12FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E12FA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E11D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E11D8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E119A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E119A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E10ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58128 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10ED Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E10D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10D5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E10C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10C0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E10A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E10A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1098 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58127 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1098 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2E1082 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58126 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2E1082 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2DD11B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 58092 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2DD11B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCC15 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCC15 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2DCC15 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:57:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F77F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F76A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F753 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F849 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F742 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F7B6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D90E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D90E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D90E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D5CD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D5CD7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D5CD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4DF6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4F53 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4F53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EFA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EB1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EB1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4EB1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4DF6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2907839636-1168338589-2395343283-3939045597 Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2D4DF6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: AD521C94-6E9D-45A3-B309-C68EDD10C9EA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224EB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF81F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0CA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C52F5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C52F5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C52F5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0611 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0611 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2C0611 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF6D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF81F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF81F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF7C6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF7C6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF7C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF77D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF77D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF77D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF6D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1064500917-1213669077-2611101360-1810748974 Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BF6D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3F72FEB5-1ED5-4857-B03E-A29B2ED6ED6B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BD69B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:08 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BD69B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2BD69B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B97D4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B97D4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B97D4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8746 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B888E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B888E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8835 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8835 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8835 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B87EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B87EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B87EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8746 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2812800165-1153200089-1375254462-1820102499 Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B8746 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A7A7ECA5-6FD9-44BC-BEB7-F851638F7C6C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:56:01 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2B38E7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F72C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B558F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B558F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B558F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2B38E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57993 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2B38E7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B1A22 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B1A22 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B1A22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0B4F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0CA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0CA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0C3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0C3D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0C3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2A1973 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2A0B23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F6C1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0BF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0BF4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0BF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0B4F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4115870753-1276435390-555306895-89263610 Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2B0B4F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5533421-DBBE-4C14-8F4F-1921FA0D5205 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F8E8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A9838 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A9838 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2A6AC8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A6AC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63886D5B-BECD-841C-342D-B8E3139D0C00} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2A6AC8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A630B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A630B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A630B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5F78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5F78 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2A5F78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EC30 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2A1BFA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2A1BBF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2A1BE6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A1BFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57992 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A1BE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57991 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A1BBF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57990 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A1973 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57989 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2A0B23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {5D7FE032-5CE5-3A74-7470-F040B7C89083} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57989 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x29F9D0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-1105 Account Name: N-H2-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F9D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {051DB01F-0AE4-7296-C09D-0610885608B6} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F962 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F962 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F962 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F90F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2533433503-1293733688-1458391221-540911923 Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F90F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9701209F-CF38-4D1C-B548-ED5633A93D20 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F8E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {63886D5B-BECD-841C-342D-B8E3139D0C00} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F8E8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F849 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57995 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F849 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F7B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57995 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F7B6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F77F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57994 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F77F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F76A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57994 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F76A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F753 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57994 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F753 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F742 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57994 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F742 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F72C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57993 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F72C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F710 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F6F0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F700 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F710 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57992 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F710 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F700 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57991 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F700 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F6F0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57990 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F6F0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x29F6C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57989 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x29F6C1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F313 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F313 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x29F313 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F633 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x297DB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x297DB5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x297DB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E07 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x293E07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290D76 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290D76 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x290D76 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F4E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F633 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F633 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F5DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F5DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F5DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F591 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F591 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F591 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F4E8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4077019379-1144388194-3376605861-2740334292 Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28F4E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F30260F3-FA62-4435-A5EA-42C9D42E56A3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C38F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B5A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B5A4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28B5A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A6DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A828 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A828 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A7CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A7CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A7CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A786 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A786 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A786 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A6DF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1907281675-1315638670-4047370155-4033622193 Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x28A6DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 71AECF0B-0D8E-4E6B-ABF7-3DF1B1306CF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:55:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288ADF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288ADF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x288ADF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F03 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F03 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x284F03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2731F4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27F96D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27F96D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27F96D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EA44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EC30 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EC30 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EBD5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EBD5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EBD5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EB8C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EB8C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EB8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EA44 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1461080625-1221490686-3412179626-2481469714 Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27EA44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 57165231-77FE-48CE-AABA-61CB1239E893 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:50 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27D138 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27D138 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27D138 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C1CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C38F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C38F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C336 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C336 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C336 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C2E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C2E5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C2E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C1CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1713442484-1211136687-2600867257-4167130785 Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x27C1CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 66210EB4-7AAF-4830-B915-069BA15E61F8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E6C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278CDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278CDA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x278CDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2731F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57948 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x2731F4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238230 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263292 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26ADC6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26ADC6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x26ADC6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2682D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2682D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2682D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x24DFA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264439 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264439 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x264439 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262B59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263292 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263292 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263010 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263010 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x263010 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262E2E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262E2E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262E2E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262B59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2130965853-1085025115-3430114223-2649148171 Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x262B59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 7F03F55D-2B5B-40AC-AF63-73CC0BCBE69D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FF9D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FF9D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25FF9D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E512 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E512 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25E512 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BCFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BCFD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25BCFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD31 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE23 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE23 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AE23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25ADDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD31 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4009787311-1323077716-3638946221-1039385237 Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x25AD31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: EF007FAF-9054-4EDC-ADE9-E5D895C2F33D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257BAB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257BAB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x257BAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256D25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E6C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E13 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256E13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256DCA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256DCA Privileges: SeImpersonatePrivilege467200125480-921436483760003481615474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256DCA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:09 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256D25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2541780006-1248598069-2856180887-1895349014 Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x256D25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 97807C26-1835-4A6C-97DC-3DAA16BBF870 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:54:08 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AEF0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24F21A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24F21A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24F21A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x24DFA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57906 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x24DFA2 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24BC46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24BC46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24BC46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24ADA8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AEF0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AEF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE97 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE97 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE4E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE4E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24AE4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24ADA8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2626754282-1273359656-2298677151-2930123913 Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x24ADA8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9C9116EA-ED28-4BE5-9F07-03898924A6AE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C469 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242C53 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:11 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242C53 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x242C53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:11 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F037 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23F037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23D1CF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23D1CF Privileges: SeImpersonatePrivilege467200125480-921436483760003481615432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23D1CF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C322 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C469 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C469 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C410 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C410 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C410 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C3C7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C3C7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C3C7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C322 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267047090-1104846703-386495136-3100819091 Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23C322 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872064B2-9F6F-41DA-A072-091793BED2B8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:53:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x20BC52 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9CCC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238F1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238F1B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238F1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2380E5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238230 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x238230 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2381D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2381D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2381D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23818A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23818A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x23818A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2380E5 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2322157934-1233267287-1413162889-43328416 Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2380E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8A69516E-2A57-4982-8927-3B54A0239502 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3FA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1BDE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EF11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EF11 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x22EF11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFCB2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:32 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225C40 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225C40 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x225C40 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224D68 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224EB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224EB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E12 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224E12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224D68 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-353535759-1108631843-1828263580-327764826 Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x224D68 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 1512870F-6123-4214-9C16-F96C5A4B8913 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA53E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA529 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA512 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA464 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA44F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA438 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA2A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA28C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA275 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9E46 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9E08 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D3B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D26 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA564 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA5C5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D0F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA48A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA2CB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9CFE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA141 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9F67 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEAEC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C71F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:52:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F468F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x20BC52 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {C30079DC-2A54-3B58-01D5-4EEAC371F87E} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57753 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x20BC52 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209A94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:37 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209A94 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x209A94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:37 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6A32 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079FD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x2079FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F28D8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FFBD3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FFBD3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FFBD3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEAEC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEAEC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA93 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FEA93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE8B6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE8B6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE8B6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3691439951-1279388568-3094206398-495919118 Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FE5D2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DC06E74F-EB98-4C41-BED7-6DB80E208F1D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FDE72 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FDE72 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FDE72 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB731 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB731 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1FB731 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA5C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA5C5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA564 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA564 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA53E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA53E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA529 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA529 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA512 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA512 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA48A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA48A Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA464 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA464 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA44F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA44F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA438 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA438 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA2CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA2CB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA2A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA2A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA28C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA28C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA275 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA275 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1FA141 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1FA141 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9F67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9F67 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9E46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9E46 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9E08 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9E08 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9D57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57755 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D57 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9D3B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D3B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9D26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D26 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9D0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9D0F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9CFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57754 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9CFE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1F9CCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57753 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1F9CCC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1EE00C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F550E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F550E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F550E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F44B1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F468F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F468F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F4634 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F4634 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F4634 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615245Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F455E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F455E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F455E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F44B1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2364916346-1132714564-1113583789-2944027671 Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F44B1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8CF5C27A-DA44-4383-ADF0-5F42174C7AAF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F3730 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F3730 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F3730 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:18 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2791 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F28D8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F28D8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F287F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F287F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F287F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2836 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2836 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2836 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2791 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2558510797-1190141300-3649845155-1653764886 Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1F2791 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 987FC6CD-1D74-46F0-A337-8CD916739262 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1EE00C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57688 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1EE00C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F9F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9917 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9917 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E9917 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:51:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E597E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E597E Privileges: SeImpersonatePrivilege467200125480-921436483760003481615209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E597E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3046 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3046 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E3046 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1B85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20A3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E20A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1EE6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1EE6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1EE6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1B85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-962655418-1100080598-2842314152-3880147251 Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E1B85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3960F4BA-E5D6-4191-A845-6AA9335946E7 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E13FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E13FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1E13FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB264 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB264 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1DB264 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D901D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D901D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D901D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7E58 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F9F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F46 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F46 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7F46 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7EFD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7EFD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7EFD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7E58 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4201760438-1187235912-5826751-2328550187 Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D7E58 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FA71C6B6-C848-46C3-BFE8-58002BDBCA8A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D68D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6A32 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D6A32 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D69D9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D69D9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D69D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D698F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D698F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D698F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D68D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-162979030-1161980772-492251537-1098519227 Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D68D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 09B6DCD6-6B64-4542-9129-571DBB127A41 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D51B7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D51B7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1D51B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1A34 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CE5A9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CE5A9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1CE5A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BADB6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2EDB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8023 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8023 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C8023 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C6F43 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C71F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C71F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7195 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7195 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C7195 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C712C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C712C Privileges: SeImpersonatePrivilege467200125480-921436483760003481615121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C712C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C6F43 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3606009418-1125956595-206267523-2586204489 Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C6F43 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6EF564A-BBF3-431C-8364-4B0C4959269A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4AE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4AE2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C4AE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:28 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C27D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C27D0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C27D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C18ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1A34 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1A34 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C19DB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C19DB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C19DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1992 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1992 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C1992 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C18ED Privileges: SeImpersonatePrivilege467200125480-921436483760003481615095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-238295973-1258507480-20101047-1530565334 Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C18ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0E341BA5-4CD8-4B03-B7B7-3201D6923A5B Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C0A3A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C0A3A Privileges: SeImpersonatePrivilege467200125480-921436483760003481615091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1C0A3A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFB6B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFCB2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFCB2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC59 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC10 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC10 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFC10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFB6B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1449034469-1128640649-3455523456-1590101807 Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BFB6B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 565E82E5-B089-4345-801A-F7CD2F07C75E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCE65 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCE65 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BCE65 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BBBFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BBBFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481615068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BBBFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAC6F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BADB6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BADB6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD5D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD5D Privileges: SeImpersonatePrivilege467200125480-921436483760003481615060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD5D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAD14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAC6F Privileges: SeImpersonatePrivilege467200125480-921436483760003481615053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-903745581-1096873632-1157261459-1514752308 Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1BAC6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 35DE102D-F6A0-4160-9368-FA443449495A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4F4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:50:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F23 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F24 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F23 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57609 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F23 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F24 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57610 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F24 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F21 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57608 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2F21 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2EDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57607 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1B2EDB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481615039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1603 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1603 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1B1603 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198BC4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AE23B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AE23B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AE23B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD3AD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4F4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD4F4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD49B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD49B Privileges: SeImpersonatePrivilege467200125480-921436483760003481615024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD49B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD452 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD452 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD452 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD3AD Privileges: SeImpersonatePrivilege467200125480-921436483760003481615017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4158651612-1265697313-1634396304-3599019875 Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1AD3AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F7DFFCDC-0221-4B71-90E8-6A6163AF84D6 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:46 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ABBDB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ABBDB Privileges: SeImpersonatePrivilege467200125480-921436483760003481615013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1ABBDB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A94B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:42 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A94B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A94B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:42 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4CA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4CA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A4CA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481615003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E56 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481615002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3FA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481615001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3FA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481615000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3F48 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3F48 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3F48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3EFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E56 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3706568129-1238326408-3432454590-3560467080 Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A3E56 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DCEDBDC1-5C88-49CF-BE19-97CC886A38D4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A29B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A29B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A29B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1A96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1BDE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1BDE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B85 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1B3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1A96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2846464153-1190693240-2087956623-2562824786 Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1A1A96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A9A99899-8978-46F8-8FB0-737C529AC198 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19954B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199536 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614967Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19951F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19947B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199466 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199441 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199299 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199284 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19926D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E7C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E67 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E50 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D88 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199571 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D73 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1994A1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1992C3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19900B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D4B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E92 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198DA0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132519 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19D24C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19D24C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x19D24C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199571 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199571 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x19954B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19954B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199536 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199536 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x19951F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19951F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1994A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1994A1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x19947B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19947B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199466 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199466 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199441 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199441 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1992C3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x1992C3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199299 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199299 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x199284 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x199284 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x19926D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19926D Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x19900B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x19900B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198E92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E92 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198E7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E7C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198E67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E67 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198E50 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198E50 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:05 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198DA0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57533 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198DA0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198D88 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D88 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198D73 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D73 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198D5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614901Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D5C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198D4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57530 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198D4B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x198BC4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F0E28FCD-060A-CF0B-CD04-788D685B6F2F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57528 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x198BC4 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:49:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172B45 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x183370 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18F045 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18F045 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x18F045 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:36 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183B3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189B0C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614887Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:31 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189B0C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614886Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x189B0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614885Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614884Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:31 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x186C74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614883Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x186C74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614882Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x186C74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614881Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614880Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:30 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x184A21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614879Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x184A21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614878Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x184A21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614877Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614876Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183760 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614875Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183B3C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614874Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183B3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614873Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614872Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183A19 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614871Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183A19 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614870Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183A19 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614869Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614868Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1839CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614867Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1839CD Privileges: SeImpersonatePrivilege467200125480-921436483760003481614866Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1839CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614865Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614864Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183760 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614863Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1179287211-1257401340-1503212686-392357033 Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x183760 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614862Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 464A7EAB-6BFC-4AF2-8E34-9959A9E46217 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614861Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x183370 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57438 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614860Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x183370 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614859Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182BD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614858Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182BD7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614857Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x182BD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614856Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614855Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:29 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F136 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614854Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1557BC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614853Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:28 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162071 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614852Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178618 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614851Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178618 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614850Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x178618 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614849Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614848Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173D5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614847Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173D5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614846Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x173D5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614845Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614844Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1729F8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614843Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172B45 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614842Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172B45 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614841Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614840Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AEA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614839Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AEA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614838Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AEA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614837Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614836Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AA1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614835Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AA1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614834Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x172AA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614833Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614832Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1729F8 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614831Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3045661257-1190134136-3516264634-676309528 Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1729F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614830Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5891A49-0178-46F0-BAF0-95D118AA4F28 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614829Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170A17 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614828Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170A17 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614827Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x170A17 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614826Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614825Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AE78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614824Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614823Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614822Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614821Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16E1B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614820Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614819Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D0E6 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614818Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D0E6 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614817Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16D0E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614816Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614815Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614814Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614813Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16C1C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614812Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614811Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AE78 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614810Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-866996642-1341559394-3557739673-2865852051 Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x16AE78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614809Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AD51A2-9262-4FF6-99CC-0ED4936ED1AA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614808Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:19 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1642C9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614807Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1642C9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614806Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1642C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614805Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614804Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162E3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614803Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162E3E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614802Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162E3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614801Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614800Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161F29 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614799Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162071 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614798Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162071 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614797Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614796Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162018 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614795Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162018 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614794Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x162018 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614793Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614792Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161FCF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614791Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161FCF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614790Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161FCF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614789Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614788Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161F29 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614787Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1894001704-1332185815-1940064401-71855958 Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x161F29 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614786Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 70E42C28-8AD7-4F67-9108-A373566F4804 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614785Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1AB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614784Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614783Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614782Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57413 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614781Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1AB Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614780Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57412 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614779Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614778Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57411 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614777Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F1A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614776Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F136 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: N-H2-858383-10 Source Network Address: 10.222.0.13 Source Port: 57410 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614775Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x15F136 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614774Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:48:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A79 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614773Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:59 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x159FB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614772Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x159FB0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614771Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x159FB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614770Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614769Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1580BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614768Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1580BF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614767Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1580BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614766Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614765Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15664C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614764Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15664C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614763Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15664C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614762Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614761Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155609 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614760Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1557BC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614759Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1557BC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614758Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614757Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15573F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614756Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15573F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614755Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x15573F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614754Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614753Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1556DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614752Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1556DA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614751Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1556DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614750Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614749Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155609 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614748Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2601787570-1252546132-418576805-2267838305 Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x155609 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614747Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 9B1420B2-5654-4AA8-A5F9-F21861772C87 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614746Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138F5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614745Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14F650 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614744Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14F650 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614743Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14F650 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614742Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614741Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614740Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1487FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614739Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1487FA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614738Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1487FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614737Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614736Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14792E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614735Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A79 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614734Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A79 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614733Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614732Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A1C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614731Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A1C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614730Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x147A1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614729Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614728Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1479D3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614727Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1479D3 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614726Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1479D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614725Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614724Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14792E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614723Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1512235966-1230265854-17772416-3460975393 Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon ID: 0x14792E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614722Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5A22E3BE-5DFE-4954-802F-0F01214B4ACE Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614721Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:38 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1355FC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614720Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x140B66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614719Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x140B66 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614718Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x140B66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614717Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614716Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E3AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614715Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E3AE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614714Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13E3AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614713Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614712Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B836 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614711Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:21 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B836 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614710Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13B836 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614709Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614708Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:21 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A686 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614707Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A686 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614706Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x13A686 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614705Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614704Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138967 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614703Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138F5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614702Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138F5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614701Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614700Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138E2F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614699Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138E2F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614698Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138E2F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614697Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614696Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138C5A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614695Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138C5A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614694Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138C5A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614693Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614692Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138967 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614691Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3602879077-1302058297-3784614579-1918244141 Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x138967 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614690Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D6BF9265-D539-4D9B-B3A2-94E12D155672 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614689Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:20 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136C14 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614688Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136C14 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614687Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x136C14 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614686Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614685Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:17 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1352F2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614684Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1355FC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614683Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1355FC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614682Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614681Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135491 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614680Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135491 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614679Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135491 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614678Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614677Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135397 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614676Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135397 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614675Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x135397 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614674Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614673Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1352F2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614672Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4245251597-1101516868-3149200546-1027120728 Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1352F2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614671Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FD09660D-D044-41A7-A2FC-B4BB589E383D Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614670Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133268 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614669Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133268 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614668Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x133268 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614667Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614666Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1323D1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614665Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132519 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614664Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132519 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614663Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614662Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1324C0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614661Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1324C0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614660Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1324C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614659Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614658Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132477 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614657Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132477 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614656Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x132477 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614655Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614654Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1323D1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614653Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4228319586-1294483788-1363572621-1427341847 Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1323D1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614652Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FC070962-414C-4D28-8D77-465117821355 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614651Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:13 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECC1A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614650Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B431 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614649Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B431 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614648Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x12B431 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614647Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614646Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x10F6A9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614645Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:03 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11061A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614644Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105893 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614643Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:47:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF89BE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614642Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBB4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614641Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:56 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB0F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614640Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB0F Privileges: SeImpersonatePrivilege467200125480-921436483760003481614639Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11BB0F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614638Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614637Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FC7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614636Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:49 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FC7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614635Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x119FC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614634Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614633Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:49 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116B28 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614632Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116B28 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614631Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x116B28 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614630Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614629Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1120C2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614628Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1120C2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614627Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1120C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614626Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614625Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1104AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614624Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11061A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614623Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x11061A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614622Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614621Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1105AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614620Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1105AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614619Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1105AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614618Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614617Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110558 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614616Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110558 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614615Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x110558 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614614Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614613Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1104AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614612Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-276526772-1303520638-283614649-3300778125 Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1104AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614611Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 107B76B4-257E-4DB2-B99D-E7108DE0BDC4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614610Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x10F6A9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57270 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614609Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0x10F6A9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614608Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10EB5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614607Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10EB5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614606Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10EB5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614605Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614604Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DC37 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614603Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614602Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614601Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614600Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD25 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614599Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD25 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614598Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DD25 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614597Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614596Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DCDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614595Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DCDC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614594Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DCDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614593Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614592Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DC37 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614591Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2237636719-1121056976-305834900-441729843 Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10DC37 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614590Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 855FA06F-F8D0-42D1-94AB-3A123343541A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614589Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:40 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10CEE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614588Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:39 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10CEE2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614587Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10CEE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614586Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614585Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:39 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x109D96 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614584Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x109D96 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614583Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x109D96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614582Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614581Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:33 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10665A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614580Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:25 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10665A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614579Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10665A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614578Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614577Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:25 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105747 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614576Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105893 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614575Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105893 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614574Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614573Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10583A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614572Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10583A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614571Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x10583A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614570Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614569Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1057EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614568Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1057EC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614567Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x1057EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614566Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614565Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105747 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614564Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-131160578-1140456626-3632485816-2058351045 Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon ID: 0x105747 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614563Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 07D15A02-FCB2-43F9-B855-83D8C5F1AF7A Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614562Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103F9E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614561Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:23 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103F9E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614560Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x103F9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614559Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614558Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:23 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101AFC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614557Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101AFC Privileges: SeImpersonatePrivilege467200125480-921436483760003481614556Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x101AFC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614555Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614554Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFFD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614553Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8BA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614552Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:15 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8BA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614551Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFC8BA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614550Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614549Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:15 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA04 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614548Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBB4B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614547Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBB4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614546Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614545Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAF2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614544Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAF2 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614543Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAF2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614542Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614541Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAA9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614540Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAA9 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614539Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBAA9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614538Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614537Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA04 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614536Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3109712030-1113182104-2585788311-4111020973 Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xFBA04 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614535Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B95A709E-CF98-4259-97FF-1F9AAD3309F5 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614534Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0xEA20F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614533Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:14 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9800 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614532Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9800 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614531Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF9800 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614530Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614529Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF886C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614528Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF89BE Privileges: SeImpersonatePrivilege467200125480-921436483760003481614527Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF89BE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614526Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614525Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8960 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614524Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8960 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614523Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8960 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614522Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614521Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8915 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614520Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8915 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614519Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF8915 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614518Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614517Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF886C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614516Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1119713497-1226165725-2639206077-2405047411 Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF886C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614515Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 42BD78D9-CDDD-4915-BD16-4F9D731C5A8F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614514Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:12 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3E02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614513Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:07 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3E02 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614512Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF3E02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614511Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614510Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:07 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF2D8E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614509Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:06 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF2D8E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614508Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xF2D8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614507Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614506Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:06 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEDB5B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614505Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEDB5B Privileges: SeImpersonatePrivilege467200125480-921436483760003481614504Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xEDB5B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614503Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614502Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECACA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614501Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECC1A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614500Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECC1A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614499Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614498Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECBC1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614497Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECBC1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614496Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECBC1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614495Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614494Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECB74 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614493Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECB74 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614492Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECB74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614491Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614490Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:46:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECACA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614489Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3565403066-1289852517-1143439288-2089140637 Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon ID: 0xECACA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614488Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D483BBBA-9665-4CE1-B87F-27449DC1857C Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614487Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFDD7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614486Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon ID: 0xEA20F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {09690AB9-87DA-CB73-BD5E-2935EA1F4C7A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.222.0.13 Source Port: 57198 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614485Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: Administrator Account Domain: CBCI-858383-10 Logon ID: 0xEA20F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614484Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:52 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614483Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DED Privileges: SeImpersonatePrivilege467200125480-921436483760003481614482Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE4DED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614481Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614480Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0CDF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614479Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0CDF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614478Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xE0CDF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614477Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614476Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFE7C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614475Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFFD1 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614474Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFFD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614473Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614472Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF78 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614471Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF78 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614470Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614469Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614468Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF21 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614467Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF21 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614466Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFF21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614465Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614464Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFE7C Privileges: SeImpersonatePrivilege467200125480-921436483760003481614463Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2267236088-1299894826-255340951-1163062042 Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDFE7C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614462Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 872346F8-D22A-4D7A-9731-380F1AEB5245 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614461Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:41 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD65AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614460Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:40 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB1B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614459Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:35 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB1B0 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614458Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xDB1B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614457Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614456Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:35 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD72B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614455Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:27 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD72B4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614454Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD72B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614453Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614452Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:27 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD645A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614451Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD65AB Privileges: SeImpersonatePrivilege467200125480-921436483760003481614450Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD65AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614449Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614448Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6552 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614447Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6552 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614446Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6552 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614445Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614444Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6509 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614443Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6509 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614442Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD6509 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614441Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614440Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD645A Privileges: SeImpersonatePrivilege467200125480-921436483760003481614439Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2810661067-1080593896-1949816754-3818764397 Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD645A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614438Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: A78748CB-8DE8-4068-B2D7-37746DB89DE3 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614437Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:26 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4AFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614436Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:22 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4AFF Privileges: SeImpersonatePrivilege467200125480-921436483760003481614435Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD4AFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614434Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614433Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:22 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD0AB4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614432Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD0AB4 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614431Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xD0AB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614430Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614429Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFC90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614428Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFDD7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614427Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFDD7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614426Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614425Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD7E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614424Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD7E Privileges: SeImpersonatePrivilege467200125480-921436483760003481614423Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD7E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614422Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614421Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD35 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614420Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD35 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614419Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFD35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614418Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614417Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFC90 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614416Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3467391528-1215129794-3529096076-622962639 Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xCFC90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614415Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: CEAC3228-68C2-486D-8CBB-59D2CFA72125 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614414Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB86EA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614413Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:45:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC56D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614412Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC56D7 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614411Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xC56D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614410Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614409Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614408Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614407Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA931 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614406Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA931 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614405Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xBA931 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614404Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614403Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7570 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614402Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB86EA Privileges: SeImpersonatePrivilege467200125480-921436483760003481614401Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB86EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614400Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614399Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB8031 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614398Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB8031 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614397Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB8031 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614396Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614395Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7F6D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614394Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7F6D Privileges: SeImpersonatePrivilege467200125480-921436483760003481614393Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7F6D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614392Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614391Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7570 Privileges: SeImpersonatePrivilege467200125480-921436483760003481614390Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-707173045-1220857395-2158526113-1442561517 Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon ID: 0xB7570 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614389Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2A269AB5-CE33-48C4-A17E-A880EDBDFB55 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614388Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:44:47 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x2A392 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfdc Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614387Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:43:02 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614386Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:42:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614385Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:42:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614384Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:42:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614383Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: administrator Account Domain: CBCI-858383-10 Logon ID: 0x69C06 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614382Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: administrator Account Domain: CBCI-858383-10 Logon ID: 0x69C06 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {4A36416C-16BE-19B6-5D60-C05FFBDEF292} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614381Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-858383-10 Logon GUID: {4A36416C-16BE-19B6-5D60-C05FFBDEF292} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614380Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:48 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614379Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:45 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: administrator Account Domain: CBCI-858383-10 Logon ID: 0x51259 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614378Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1468863256-883949734-1651470213-500 Account Name: administrator Account Domain: CBCI-858383-10 Logon ID: 0x51259 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {68342E43-CEAA-8893-3913-39AEAFF1E5FD} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614377Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: administrator Account Domain: CBCI-858383-10 Logon GUID: {68342E43-CEAA-8893-3913-39AEAFF1E5FD} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614376Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:43 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x4BB84 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614375Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4BB84 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B629EE42-0225-0E62-1B57-9A89A6ADE8C4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614374Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x4BB84 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614373Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon GUID: {17E3E4A5-95DE-C09E-A3C1-9BF1375F70FD} Target Server: Target Server Name: n-h1-858383-10$ Additional Information: n-h1-858383-10$ Process Information: Process ID: 0xa2c Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614372Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x4A0A5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614371Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x4A0A5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9E2CF86A-A0EB-C4C8-063F-AE7F4D1ED5DC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614370Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x4A0A5 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614369Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:34 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E450 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614368Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3E450 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {82DD3566-F7F5-5BD5-2940-7829C80551BE} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614367Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E450 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614366Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon GUID: {3D885F1C-7ABC-BFCC-B168-8643E7F2E72B} Target Server: Target Server Name: n-h1-858383-10$ Additional Information: n-h1-858383-10$ Process Information: Process ID: 0x1300 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614365Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3BFCE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614364Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x3BFCE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9E2CF86A-A0EB-C4C8-063F-AE7F4D1ED5DC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614363Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3BFCE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614362Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:24 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2B2CC Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614361Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:20 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
System security access was granted to an account. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x2A392 Account Modified: Account Name: S-1-5-21-1468863256-883949734-1651470213-500 Access Granted: Access Right: SeServiceLogonRight471700135690-921436483760003481614360Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:16 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614359Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614358Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x323B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614357Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x323B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {84E99985-E4A5-0D0C-01BD-417D3285A981} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614356Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x323B9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614355Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon GUID: {500116E6-A3BE-721F-8E1D-DC1F615B07FA} Target Server: Target Server Name: n-h1-858383-10$ Additional Information: n-h1-858383-10$ Process Information: Process ID: 0xc04 Process Name: C:\Windows\System32\taskhostw.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614354Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:10 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2B2CC Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614353Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2B2CC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa2c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614352Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614351Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0000-dd5d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10472400138240-921436483760003481614350Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:41:04 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614349Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Process Information: Process ID: 0xa2c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614348Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Process Information: Process ID: 0xa2c Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614347Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614346Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:04 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x2A392 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614345Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x2A392 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614344Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614343Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614342Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0001-f25d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614341Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7c0716aca5783122b8c98496c5201d00_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614340Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:03 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2534E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614339Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x2534E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {9E2CF86A-A0EB-C4C8-063F-AE7F4D1ED5DC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614338Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x2534E Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614337Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614336Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9f0 Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614335Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:41:00 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614334Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614333Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614332Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614331Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Domain: Domain Name: N-H1-858383-10 Domain ID: S-1-5-21-829555393-2678343407-944722937 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481614330Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:59 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x1D395 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614329Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1D395 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A2AD8B89-26A5-23A2-B2EA-0EF0AEC0CBEC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614328Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x1D395 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614327Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x1C4D6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614326Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10.LOCAL Logon ID: 0x1C4D6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A2AD8B89-26A5-23A2-B2EA-0EF0AEC0CBEC} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614325Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x1C4D6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614324Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614323Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614322Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614321Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614320Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614319Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614318Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:57 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x169BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614317Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614316Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614315Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614314Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614313Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614312Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614311Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614310Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x460 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614309Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614308Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x1519F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614307Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614306Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614305Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0001-c35d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614304Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614303Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614302Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614301Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202304n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:56 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614300Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614299Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202200n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614298Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614297Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5b8 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614296Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614295Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614294Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614293Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614292Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614291Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614290Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614289Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x604 Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614288Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614287Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614286Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614285Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614284Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614283Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614282Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820488n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x3c4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:40:55.078406900Z New Time: ?2022?-?10?-?12T08:40:54.905000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614281Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614280Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614279Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:55 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614278Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614277Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820908n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614276Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614275Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC83C Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481614274Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC7EE Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614273Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC83C Linked Logon ID: 0xC7EE Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614272Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xC7EE Linked Logon ID: 0xC83C Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614271Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614270Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481614269Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614268Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:54 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614267Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: CBCI-858383-10 Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614266Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820888n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:53 AM52295d9f-de16-0005-a45d-295216ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6543490200135680-921436483760003481614265Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820864n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:53 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614264Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481614263Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614262Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:52 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2ac Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614261Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614260Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614259Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614258Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614257Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x23c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614256Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4500n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x23c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614255Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4500n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:50 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x210 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x18c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614254Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4224n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:48 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614253Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x188 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481614252Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481614251Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-10.cbci-858383-10.local10/12/2022 8:40:47 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:40:36.420550200Z New Time: ?2022?-?10?-?12T08:40:36.410000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614250Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity43312n-h1-858383-1010/12/2022 8:40:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x61C158 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614249Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201928n-h1-858383-1010/12/2022 8:40:36 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x61C158 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614248Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201928n-h1-858383-1010/12/2022 8:40:36 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614247Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201928n-h1-858383-1010/12/2022 8:40:36 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614246Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8201928n-h1-858383-1010/12/2022 8:40:36 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889614245Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security14484504n-h1-858383-1010/12/2022 8:40:36 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Member: Security ID: S-1-5-21-1468863256-883949734-1651470213-513 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614244Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205052n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Member: Security ID: S-1-5-21-1468863256-883949734-1651470213-512 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614243Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204868n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614242Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204868n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614241Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204868n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614240Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8204868n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614239Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205052n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614238Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614237Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205052n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614236Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8205052n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: LDAP/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 10.222.0.44 Port: 49666 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614235Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {388B904F-AB41-5643-9491-86DB03BF1DA1} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: ldap/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614234Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: CBCI-858383-10.LOCAL Logon GUID: {388B904F-AB41-5643-9491-86DB03BF1DA1} Target Server: Target Server Name: n-ad-858383-10.cbci-858383-10.local Additional Information: cifs/n-ad-858383-10.cbci-858383-10.local Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: 10.222.0.44 Port: 445 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614233Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:40:31 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1310 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614232Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:40:15 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614231Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:23:33 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614230Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:23:33 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614229Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:09:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614228Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:09:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Process Information: Process ID: 0xc88 Process Name: C:\Program Files\Git\usr\bin\bash.exe479800138240-921436483760003481614227Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:09:25 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614226Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:06:41 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x11F010 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614225Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:06:41 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614224Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:06:41 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614223Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:06:41 AMdbd6bb76-de10-0003-34bf-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x1176C2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614222Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x1176C2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614221Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614220Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614219Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0004-99bd-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x1156DD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614218Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x1156DD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614217Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614216Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614215Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0005-10bf-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x115064 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614214Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x115064 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614213Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614212Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614211Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:34 AMdbd6bb76-de10-0004-96bd-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x113352 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614210Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:33 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x113352 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614209Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:33 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614208Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:33 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614207Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:06:33 AMdbd6bb76-de10-0005-08bf-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10472400138240-921436483760003481614206Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:05:52 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:05:52 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614205Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:05:52 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC User: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10 Process Information: Process ID: 0xe2c Process Name: C:\Windows\System32\net1.exe479800138240-921436483760003481614204Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:05:52 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa08 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe479900138260-921436483760003481614203Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:05:39 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614202Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:05:24 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614201Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:05:24 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614200Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614199Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614198Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614197Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614196Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0506100122900-921436483760003481614195Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Write persisted key to file. Return Code: 0x0505800122920-921436483760003481614194Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016506100122900-921886843722740531214193Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0505800122920-921436483760003481614192Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614191Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614190Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614189Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614188Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614187Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:04:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614186Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:03:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x903EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614185Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:03:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614184Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:03:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614183Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:03:09 AMdbd6bb76-de10-0000-a3bc-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614182Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:03:04 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a0 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:03:02.513603400Z New Time: ?2022?-?10?-?12T08:03:02.500000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614181Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4516n-h1-858383-1010/12/2022 8:03:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x8E69B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614180Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x8E69B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614179Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x8E69B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614178Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614177Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614176Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0001-68bc-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614175Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: 092da5ec-03c9-46ee-b638-7f74299d15a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7c0716aca5783122b8c98496c5201d00_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614174Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:51 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10472400138240-921436483760003481614173Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:49 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:02:49 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614172Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:49 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614171Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:49 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614170Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:49 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614169Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:49 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614168Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:45 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614167Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:45 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614166Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:45 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Member: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -473200138260-921436483760003481614165Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:44 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x77F0A Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.463400125450-921436483760003481614164Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614163Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:44 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Logon ID: 0x77F0A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614162Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:42 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xc24 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614161Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:42 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614160Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:42 AMdbd6bb76-de10-0003-2abc-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10472400138240-921436483760003481614159Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:37 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:02:37 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614158Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:37 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10472200138240-921436483760003481614157Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:37 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 New Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: Admin Account Domain: N-H1-858383-10 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -472000138240-921436483760003481614156Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:37 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Member: Security ID: S-1-5-21-829555393-2678343407-944722937-1001 Account Name: - Group: Security ID: S-1-5-21-829555393-2678343407-944722937-513 Group Name: None Group Domain: N-H1-858383-10 Additional Information: Privileges: -472800138260-921436483760003481614155Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:37 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614154Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614153Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614152Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x4EB48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xe34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614151Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614150Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-fdbb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10472400138240-921436483760003481614149Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:02:12 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614148Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Process Information: Process ID: 0xe34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614147Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Process Information: Process ID: 0xe34 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481614146Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:13 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: N-H1-858383-10 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x26c Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462500125440-921886843722740531214145Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:12 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10 Process Information: Process ID: 0xf90 Process Name: C:\Windows\System32\LogonUI.exe479800138240-921436483760003481614144Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:11 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614143Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9dc Process Name: C:\Windows\System32\vmms.exe479900138260-921436483760003481614142Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614141Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614140Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614139Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614138Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:09 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614137Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:07 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614136Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614135Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614134Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_ed954c31-dfcf-4e3d-96ad-f23d2622b4cd Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614133Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614132Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon ID: 0x2A938 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: N-H1-858383-10 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614131Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: N-H1-858383-10 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481614130Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: N-H1-858383-10 Error Code: 0x0477600143360-921436483760003481614129Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:05 AMdbd6bb76-de10-0001-b8bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoCredential ValidationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0505900122920-921436483760003481614128Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614127Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614126Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0506100122900-921436483760003481614125Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSystem IntegritySystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0505800122920-921436483760003481614124Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614123Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614122Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:04 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481614121Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614120Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614119Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity8202512n-h1-858383-1010/12/2022 8:02:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x211A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614118Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:02:03 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614117Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614116Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820900n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614115Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614114Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614113Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614112Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614111Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614110Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614109Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614108Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614107Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:02 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481614106Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4212n-h1-858383-1010/12/2022 8:02:02 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614105Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x26c Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614104Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614103Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614102Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614101Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614100Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614099Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614098Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614097Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614096Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614095Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614094Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7fc Process Name: C:\Windows\System32\VSSVC.exe479900138260-921436483760003481614093Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x544 Process Name: C:\Windows\System32\svchost.exe479900138260-921436483760003481614092Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614091Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614090Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5a8 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:02:01.630709300Z New Time: ?2022?-?10?-?12T08:02:01.092000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481614089Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4316n-h1-858383-1010/12/2022 8:02:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614088Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614087Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614086Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614085Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614084Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481614083Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:02:01 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x5e8 Process Information: Process ID: 0x51c Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481614082Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4368n-h1-858383-1010/12/2022 8:02:01 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-829555393-2678343407-944722937-513 Group Name: None Group Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -473700138260-921436483760003481614081Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-513 Account Domain: N-H1-858383-10 Old Account Name: None New Account Name: None Additional Information: Privileges: -478100138240-921436483760003481614080Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-829555393-2678343407-944722937-513 Group Name: None Group Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473700138260-921436483760003481614079Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-503 Account Name: DefaultAccount Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614078Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-503 Account Name: DefaultAccount Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614077Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-501 Account Name: Guest Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614076Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-501 Account Name: Guest Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614075Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614074Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-500 Account Name: Administrator Account Domain: N-H1-858383-10 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481614073Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -473500138260-921436483760003481614072Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -478100138240-921436483760003481614071Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614070Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614069Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -478100138240-921436483760003481614068Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614067Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614066Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -478100138240-921436483760003481614065Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614064Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614063Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -478100138240-921436483760003481614062Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614061Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614060Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -478100138240-921436483760003481614059Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614058Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614057Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -478100138240-921436483760003481614056Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614055Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614054Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -478100138240-921436483760003481614053Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614052Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614051Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -478100138240-921436483760003481614050Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614049Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -473500138260-921436483760003481614048Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -478100138240-921436483760003481614047Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614046Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -473500138260-921436483760003481614045Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -478100138240-921436483760003481614044Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614043Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614042Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -478100138240-921436483760003481614041Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614040Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -473500138260-921436483760003481614039Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -478100138240-921436483760003481614038Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614037Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614036Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -478100138240-921436483760003481614035Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614034Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614033Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -478100138240-921436483760003481614032Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614031Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614030Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -478100138240-921436483760003481614029Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614028Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614027Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -478100138240-921436483760003481614026Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614025Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614024Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -478100138240-921436483760003481614023Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614022Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614021Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -478100138240-921436483760003481614020Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614019Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -473500138260-921436483760003481614018Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -478100138240-921436483760003481614017Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614016Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614015Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -478100138240-921436483760003481614014Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614013Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -473500138260-921436483760003481614012Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -478100138240-921436483760003481614011Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614010Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -473500138260-921436483760003481614009Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -478100138240-921436483760003481614008Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614007Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614006Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -478100138240-921436483760003481614005Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614004Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -473500138260-921436483760003481614003Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -478100138240-921436483760003481614002Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -473500138260-921436483760003481614001Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820860n-h1-858383-1010/12/2022 8:01:59 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity Group ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481614000Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613999Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613998Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613997Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613996Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613995Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:48 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613994Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613993Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5DB Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613992Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5C9 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613991Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5DB Linked Logon ID: 0xB5C9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613990Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB5C9 Linked Logon ID: 0xB5DB Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613989Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613988Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613987Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613986Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820904n-h1-858383-1010/12/2022 8:01:47 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613985Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:01:46 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: N-H1-858383-10$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613984Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820852n-h1-858383-1010/12/2022 8:01:46 AMdbd6bb76-de10-0002-77bb-d6db10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6202490200135680-921436483760003481613983Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820868n-h1-858383-1010/12/2022 8:01:46 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613982Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-858383-1010/12/2022 8:01:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613981Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity820824n-h1-858383-1010/12/2022 8:01:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613980Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613979Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:45 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613978Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613977Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613976Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613975Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613974Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613973Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-1010/12/2022 8:01:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1d8 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613972Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-1010/12/2022 8:01:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613971Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4368n-h1-858383-1010/12/2022 8:01:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613970Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-1010/12/2022 8:01:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613969Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136n-h1-858383-1010/12/2022 8:01:41 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5cc Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:01:30.358499300Z New Time: ?2022?-?10?-?12T08:01:30.356000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613968Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/12/2022 8:01:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613967Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security13041540WIN-5T344G8GM1H10/12/2022 8:01:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613966Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:01:26 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613965Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:01:26 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613964Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:01:10 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 10/12/2022 8:01:10 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613963Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:01:10 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa38 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613962Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:01:10 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-829555393-2678343407-944722937-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa38 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe479800138240-921436483760003481613961Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:01:10 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3a8 Process Information: Process ID: 0x4a4 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)490700135680-921436483760003481613960Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H10/12/2022 8:00:44 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613959Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:32 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613958Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:32 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.502400122920-921436483760003481613957Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:32 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x634DB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613956Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613955Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613954Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613953Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613952Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613951Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613950Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828860WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613949Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613948Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613947Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613946Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:31 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.503300122920-921436483760003481613945Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4228WIN-5T344G8GM1H10/12/2022 8:00:30 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther System EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613944Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:30 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613943Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828868WIN-5T344G8GM1H10/12/2022 8:00:30 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613942Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:30 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613941Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:30 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x518 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?10?-?12T08:00:29.383793500Z New Time: ?2022?-?10?-?12T08:00:29.776000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613940Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity432WIN-5T344G8GM1H10/12/2022 8:00:29 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613939Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:29 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613938Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:29 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613937Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:29 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613936Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:29 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613935Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:21 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613934Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:21 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613933Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:21 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613932Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:21 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613931Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613930Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5757D Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege467200125480-921436483760003481613929Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5756B Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613928Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5757D Linked Logon ID: 0x5756B Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613927Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5756B Linked Logon ID: 0x5757D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613926Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.464800125440-921436483760003481613925Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613924Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613923Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828900WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege467200125480-921436483760003481613922Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613921Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:20 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613920Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:19 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613919Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828912WIN-5T344G8GM1H10/12/2022 8:00:19 AM9dfbb302-de10-0005-06b3-fb9d10ded801securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x4FFFB490200135680-921436483760003481613918Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828872WIN-5T344G8GM1H10/12/2022 8:00:19 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAudit Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613917Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828832WIN-5T344G8GM1H10/12/2022 8:00:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.460800122880-921436483760003481613916Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity828832WIN-5T344G8GM1H10/12/2022 8:00:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x33c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613915Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4584WIN-5T344G8GM1H10/12/2022 8:00:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613914Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H10/12/2022 8:00:18 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613913Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613912Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613911Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613910Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4564WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613909Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613908Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H10/12/2022 8:00:17 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613907Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H10/12/2022 8:00:00 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613906Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4188WIN-5T344G8GM1H10/12/2022 7:59:58 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613905Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4468WIN-5T344G8GM1H10/12/2022 7:59:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.468820133120-921436483760003481613904Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/12/2022 7:59:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoProcess CreationSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No482600135730-921436483760003481613903Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity4136WIN-5T344G8GM1H10/12/2022 7:59:57 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoOther Policy Change EventsSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.461610122880-921436483760003481613902Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity41980WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSecurity State ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.1100041030462069321768212889613901Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361144WIN-5T344G8GM1H1/19/2018 9:48:13 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoService shutdownSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.464700125450-921436483760003481613900Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:48:12 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogoffSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613899Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613898Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity6643024WIN-5T344G8GM1H1/19/2018 9:48:11 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613897Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613896Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664756WIN-5T344G8GM1H1/19/2018 9:48:10 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -473900135690-921436483760003481613895Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613894Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H472400138240-921436483760003481613893Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -473800138240-921436483760003481613892Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -473900135690-921436483760003481613891Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoAuthentication Policy ChangeSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe479800138240-921436483760003481613890Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:34 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoUser Account ManagementSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege467200125480-921436483760003481613889Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoSpecial LogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.462420125440-921436483760003481613888Microsoft-Windows-Security-Auditing54849625-5478-4994-a5ba-3e3b0328c30dSecurity664716WIN-5T344G8GM1H1/19/2018 9:47:33 AMad8d0f9c-9109-0000-b10f-8dad0991d301securitySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLogonSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E31102041040462069321768212889613887Microsoft-Windows-Eventlogfc65ddd8-d6ef-4962-83d5-6e5cfe9ce148Security4361136WIN-5T344G8GM1H1/19/2018 9:47:33 AMsecuritySystem.UInt32[]System.Diagnostics.Eventing.Reader.EventBookmarkInformationInfoLog clearSystem.Collections.ObjectModel.ReadOnlyCollection`1[System.String]System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]